commit d171517afc217a667972ae5110c97fe030450310
author Dmitri Plotnikov <dplotnikov@google.com> Tue Apr 30 15:43:01 2024 -0700
committer Dmitri Plotnikov <dplotnikov@google.com> Tue Apr 30 15:43:01 2024 -0700
tree c67278ffb5767de3710e998eee37f32e8e76e28c
parent 5be651f1190fa9728cbe4915fff336c97025245d

Improve stability of battery stats history unparceling

If the battery history file is corrupted, the unparceling
code may call `parcel.setDataPosition` with an invalid
argument. This leads to an irrecoverable native crash
and process kill.  To avoid such a situation, we will be
checking the argument for validity before calling setDataPosition

Bug: 337977337
Test: atest FrameworksCoreTests:PowerStatsTest
Change-Id: Id4f1d7c27973eb975c0e7f87dc79491dc1b73101

core/java/com/android/internal/os/PowerStats.java

diff --git a/core/java/com/android/internal/os/PowerStats.java b/core/java/com/android/internal/os/PowerStats.java
index 7c7c7b8..9f9aae5 100644
--- a/core/java/com/android/internal/os/PowerStats.java
+++ b/core/java/com/android/internal/os/PowerStats.java
@@ -473,7 +473,14 @@
         } finally {
             // Unconditionally skip to the end of the written data, even if the actual parcel
             // format is incompatible
-            parcel.setDataPosition(endPos);
+            if (endPos > parcel.dataPosition()) {
+                if (endPos >= parcel.dataSize()) {
+                    throw new IndexOutOfBoundsException(
+                            "PowerStats end position: " + endPos + " is outside the parcel bounds: "
+                                    + parcel.dataSize());
+                }
+                parcel.setDataPosition(endPos);
+            }
         }
     }
 

core/tests/coretests/src/com/android/internal/os/PowerStatsTest.java

diff --git a/core/tests/coretests/src/com/android/internal/os/PowerStatsTest.java b/core/tests/coretests/src/com/android/internal/os/PowerStatsTest.java
index 6402206..baab3b2 100644
--- a/core/tests/coretests/src/com/android/internal/os/PowerStatsTest.java
+++ b/core/tests/coretests/src/com/android/internal/os/PowerStatsTest.java
@@ -168,6 +168,20 @@
         assertThat(end).isEqualTo("END");
     }
 
+    @Test
+    public void parceling_corruptParcel() {
+        PowerStats stats = new PowerStats(mDescriptor);
+        Parcel parcel = Parcel.obtain();
+        stats.writeToParcel(parcel);
+
+        Parcel newParcel = marshallAndUnmarshall(parcel);
+        newParcel.writeInt(-42);        // Negative section length
+        newParcel.setDataPosition(0);
+
+        PowerStats newStats = PowerStats.readFromParcel(newParcel, mRegistry);
+        assertThat(newStats).isNull();
+    }
+
     private static Parcel marshallAndUnmarshall(Parcel parcel) {
         byte[] bytes = parcel.marshall();
         parcel.recycle();